My scenario is as follows, a .NET 4.0 Solution with several projects (one host and some dlls), one (dll) in particular making use of the MySQL .NET Connector in order to only call upon stored procedures. I've also signed all my assemblies with a private key.
I'm curious if a hacker could somehow obtain the password to the database user from the connection string (even though that user only has permission to EXECUTE).
Also I'm curious whether a hacker would be able to find out the stored procedures I call on and whether he could Select/Insert/Delete arbitrarily with the use of my stored procedures.
All this with the presumption that the hacker only has a copy of the compiled solution.
If you have hard-coded the user name and password in your code, or even if you store the credentials in an encrypted file, but the encryption key is hard-coded in your code, it is easily hackable because .NET assemblies are not compiled to machine code. When you build a .NET assembly, it converts your VB.NET code into MSIL code, which is just a lower level programing language which is still easily readable. Microsoft provides a free tool (as part of the .NET Framework SDK) called MSIL Disassembler which allows you to easily view all the MSIL code for any compiled assembly. There are many tools available which allow you to easily take the MSIL code and "decompile" it to VB or C# code. You'd be amazed at how easy it is to reproduce your original code with a .NET decompiler. If the PDB's are available, the output is shockingly similar to the original code. So, unless you are using some third-party code obfuscation or assembly encryption tool, your "compiled" assemblies are very easily reverse engineered. Usually this isn't a big deal, but if avoiding hacking is a high concern, you certainly shouldn't be putting any secrets in your code.
Are you confident that all of the code in the project is safe from things like SQL Injection vulnerabilities and Local File Inclusion vulnerabilities (and will remain so, as it evolves)?
Related
I have discovered that our SQL statements are appearing in our compiled DLL files in our WinForms projects. What are some good methods of hiding these statements in the DLL files?
The term you are looking for is obfuscation and there are several commercial products that will do that, as well as some open source ones.
Bear in mind, that someone determined enough will be able to see the strings. That can be done through de-obfuscation techniques or by examining the strings at run time with a debugger like WinDbg.
Obfuscators should be used to protect intellectual property, at best. They should not be counted on for the security of your application. If you are hard coding credentials in your application, I would instead re-consider where they are getting stored or retrieved from. There is no "one-size" answer for that.
I have just reversed a crackme in OllyDbg, and I was wondering if I can modify its code with application written in VB.NET. For example, to change JNZ (on specified address) for JMP.
EDIT:
I see there is a misconception. I was talking about creating patcher in Visual Basic.NET(programmatically change EXE code) to patch already reversed application. I know about Write/ReadProcessMemory that allows me to inject code after application execution(in that case it's loader not patcher), but how to overwrite EXE permanently?
Changing JNZ to JMP is kind of bypassing some kind of verification inside application (serial number of if it is purchased or not, so if you have the source code, you can just comment which lines you don't want your application to execute
Patching a compiled program is possible with certain tools, you can even do that in runtime with code injection.
But, as i understand from your question, you're talking about a vb .NET application and not a regular VB application.
VB .NET applications compiles to bytecode (MSIL code) and not binary like regular VB applications, which makes it even more easier to reverse, you can actually "decompile" the .exe file to it's source code with a tool like ILSPY (see google), patch it, and then re-compiled it.
I need a low level OLE control for reading, creating and modifying pdf files. I will use it with Visual FoxPro. By low level I mean that I won't need any extra software to install on the client machine.
Long story short, I need something like iText.
Preferably free or cheap.
Thanks.
QuickPDF includes a pure Win32 DLL based version and is reasonably cheap at $249 with no runtime license fees. You would just need to copy the DLL in the same directory as your application.
www.quickpdf.com
I don't know what you mean about "open"ing DLLs, however, VFP CAN make calls to DLLs via DECLARE statements to expose them... its done quite regularly with many Windows API calls.
However, you specific need of dealing with PDFs to modify poses another question... What is it you plan on trying to "modify"?
I have written a program in vb.net 2008 (using .net 3.5). It's a decent size program. One part of this program is to access an online database and encrypt/decrypt files. To access db I use a hardcoded password. To encrypt/decrypt files I used a hardcoded key. No matter what I do I would need to hardcode one of the two things at least. For example: even if I store database password in an encrypted file I would need to hardcode key to decrypt it. Or vice versa.
So after doing some thinking I figured that I need to obfuscate my code so that at least these hardcoded elements/values wont be visible easily. Infact to test, I used a program to disassemble my program. And to my amazement, it showed me every line of code in my program. I felt as if my entire code is pasted in my exe.
Thus I need to obfuscate my code. See I do not need too advanced settings. My program is not among the top shareware programs or super popular that I need very high security. But I need enough security so that my basic code, variables and sensitive information (password etc) is not visible.
Please help me choose a good obfuscator which will do the job. It should not be too tedious to use and should be sufficient for me. Plus it should be trusted and secure. I mean I don't want my application to crash or be unstable after I obfuscate it.
I have downloaded trial of .net reactor from Ezriz and it seems to be fine. What do you guys suggest? I cannot affort something over $200. So is this product worth going for. You guys know better.
Thank you for your support.
Cheers,
Saurabh
Obfuscation cannot solve this problem. An attacker can change his hosts file to redirect the domain name to a database he controls. When you login he will get the username/password.
Another attack would be to use a debugger like ollydbg to obtain the username/password in memory. The username/password must be in clear text prior to use, and an attacker will be able to find it.
Security Through Obscurity will never work. You will never be able to control the client.
A better approach is to setup a a SOAP (WCF) server to abstract your database operations. The logic for building the queries must be server side. Assume that an attacker has full access to any functions you expose via SOAP.
I use Eziriz .NET Reactor for a while now and it works great for me. I used Eazfuscator before but it wasn't really powerful.
.Net Reactor has awesome features such as Anti ILDASM and Native Exe file generation. Also it'll fit your budget. You can use Trial before purchasing it and test if it works with your scenario.
You should strongly consider Babel .net obfuscator. In my opinion even though it is a console application it is by far the best for price, licensing (not locked to a single computer) and features.
I use Eazfuscator:http://www.foss.kharkov.ua/g1/projects/eazfuscator/dotnet/Default.aspx
It powerful and it's free. Wonderful tool extremely simple to use.
Since MS appears to have killed Managed JavaScript in the latest DLR for both server-side (ASP.NET Futures) and client-side (Silverlight), has anyone successfully used non-obsolete APIs to allow scripting of their application objects with JScript.NET and/or can explain how to do so? A Mono/JScript solution might also be acceptable, if it is stable and meets the requriements below.
We are interested in upgrading off of a script host which uses the Microsoft JScript engine and ActiveScript APIs to something with more performance and easier extensibility. We have over 16,000 server-side scripts weighing in at over 42MB of source, so rewriting into another scripting language is out of the question.
Our specific requirements are:
Noteably better performance than the Microsoft JScript (ActiveScript) engine
Better runtime performance and/or
Retention of pre-parsed or compiled scripts (don't reparse on every run)
Lower or equal memory consumption
Full ECMA-262 ECMAScript compatibility
a little porting can be tolerated
Injection of custom objects into the script namespace
.NET objects (not a hard requirement)
COM objects or COM objects wrapped in .NET
Instantiation of COM objects from Script
à la "new ActiveXObject(progid)"
Low priority given the preceeding
Include files
Pre-loading of "helper scripts" into a script execution context
An "include" function or statement (easy to create, given the above)
Support for code at global-scope
Execution of code the global scope
Retention of values initialized at global scope
Extraction of values from the global scope
Injection and replacement of values at the global scope
Calling of script-defined functions
with parameters
and with access to the previously initialized global scope
Source-level debugging
Commercial or Open Source Support
Non-obsolete APIs
I answered a similar question here. Have a look at IronJS, an implementation of JavaScript in F# running on the DLR.
Sooner or later, I imagine someone will write a DLR Javascript. I know that's not very convenient for you right now, but maybe you could start the project. I suspect it would have a better cost/benefit analysis to using JScript.NET.
If moving away from .NET and Microsoft is ok for you then you should try Mozilla's Rhino. It is an open-source implementation of JavaScript written entirely in Java. Alot of modern server side js libraries target this platform.
I have used CSScript.net as it will allow you to run C# as a scripting platform. From the site:
CS-Script combines the power and
richness of C# and FCL with the
flexibility of a scripting system.
CS-Script can be useful for system and
network administrators, developers and
testers. For any one who needs an
automation for solving variety of
programming tasks.
CS Script satisfies all the conditions that you laid out. I have used it in production as a substitute for Boo it has performed really well. You can see it in action here.
The use of Com interop means you are limited to an MS solution Java and Opensource want as little as possible to do with it.
I dont see any solution that supports all your requirements either you ditch all the COM/.NET stuff and go Java (Rhino) /Linux/Open source or you question the use of Javascript as your server language even in the Linux world we use PHP/Python/Ruby more on the server if we cant run Java. Your not going to see big performance gains with Java script as the language is the main barrier.
I wouldnt count on people writing a new DLR as server Java script is dying fast.
Considering you want performance ,what about F# , Microsoft will keep the Jscript engine supported for at least 5 years giving you time to create new stuff in F# while you slowly migrate the code.
Have you seen ROScript?
http://www.remobjects.com/script.aspx
Supports both PascalScript and ECMAScript (Javascript) syntax
The Jurrassic-Engine is alive and kicking.
From their codeplex site:
Supports all ECMAScript 3 and ECMAScript 5 functionality, including ES5 strict mode
Well tested - passes over five thousand unit tests (with over thirty thousand asserts)
Simple yet powerful API
Compiles JavaScript into .NET bytecode (CIL); not an interpreter
Deployed as a single .NET assembly (no native code)
Basic support for integrated debugging within Visual Studio
Uses light-weight code generation, so generated code is fully garbage collected
Tested on .NET 3.5, .NET 4 and Silverlight